Discussion in 'other security issues & news' started by Brandonn2010, Jun 11, 2013.
You've heard it here first. Computers don't get infected, it's all just lies.
"Moving users from Windows XP is becoming more of a priority for Microsoft as we get closer to the official retirement date, so the company continues to urge everyone to embrace Windows 7 or Windows 8."
Translation from MickeySpeak to UnderstandableSpeak:
Moving XP users' money into the bank of Redmond is becoming more of a priority for Microsoft as we get closer to the totally unnecessary and forced official retirement date, so the company continues to urge everyone to spend loads of dosh on totally new hardware running Windows 7 (technically not available) and Windows 8 (technically a bit of a marketing disaster).
The question is: How do they get infected? Are any of those infected due to an "insecure" O.S., or due to an ignorant user who downloads and installs all kinds of crap, who opens all kinds of e-mail attachments without really caring about the source of such files, etc.? Are any of those infected due to pirated versions of the operating system/other pirated applications and therefore afraid of upgrading to the newest versions, hence vulnerable to being infected as well?
Don't take me wrong, but back in the Windows 95 days I was ignorant and I enjoyed blaming the O.S. I learnt my lesson well, though.
Every infection is due to an insecure OS. But, more specifically, in the case of exploitation, it's the OS that makes the difference for local exploits, as well as remote, due to ASLR/SEHOP among other things.
I know some people will not like to hear the truth but the average user is not techie enough to secure a computer "hence the state of infections"
That's my opinion, yes.
Well, you for sure know way more than I, but what about a piece of malicious malware (installed accidentally by a clueless user) that just does damage to data and doesn't really exploit the OS in any way?
Yes, even a socially engineered malware would be the operating system's responsibility, in my opinion.
HM - I have to disagree with that in most vehement terms. You can't reasonably expect an OS to do the user's thinking for them.
(And the day you reasonably can is the day that I throw out all my electronics and join a low-tech commune somewhere in the Rockies.)
I don't see how either, but I'm willing to listen....
I can reasonably expect an OS to make security decisions. When an infection occurs it's the operating system's fault. A weak OS is the cause for any infection that isn't entirely deliberate (i.e., the user knows the file is malicious and chooses to install it anyways).
It doesn't require locking the user out of their system, or removing their rights. I'm not advocating a walled garden approach, since I don't think walled gardens work long term.
Not much to say. Or maybe too much to say. I could probably have a really long discussion about it, but essentially, from what I've seen and learned about computers and security, I think that security has to come from the OS. I don't think that securing a system means restricting users, I do think it means that the operating system policies have to be built around users having the ability to run and install whatever they want.
There was a banking trojan in the wild that used some sort of memory execution. I thought it should be more common by now and that one of my PCs (a netbook with limited space) should have gotten infected already, since it runs an unupdated XP as admin with lots of old apps (vulnerable, with lots of holes) but with a layered, redundant security setup. It's safe to say that for an expert user like him with a properly configured setup, there should be no problem even with an OS or old apps full of holes, unless targeted.
With memory execution, to create persistence, it has to migrate to another persistent process and elevate privileges (a non-issue with an admin setup), and it would still need to write to disk to survive the next reboot.
To prevent memory malware from migrating to another persistent process, the HIPS on that system and others is painfully configured to alert if that scenario should happen. Never had an alert except when deliberately testing memory POCs. The HIPS should also alert if any file, folder or registry modification happens, even if memory execution managed to bypass the execution alert. Notwithstanding that, it's safeguarded even against social engineering, i.e., clicking on any links or attachments or files or executables or installers, etc.
I scan offline and have never had an infection of that type, or of any other type, for many years.
Not that it's a good suggestion for everyone to not update. It's not.
Call it luck or security by obscurity or security by diversity, it works.
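A toy version of the HIPS policy the post above describes (alert when a process migrates into a long-lived process, and when anything writes to an autostart location that survives a reboot), as an added example in Python that is not from the thread; the event schema, process names, allow-list and sample events are assumptions constructed for the demonstration.

```python
from typing import Dict, List, Optional

# Long-lived processes a memory-resident payload would want to migrate into (assumed list).
PERSISTENT_TARGETS = {"explorer.exe", "svchost.exe", "winlogon.exe"}
# Programs allowed to create threads in other processes, e.g. a debugger (assumed).
INJECTION_ALLOWLIST = {"devenv.exe"}
# Autostart locations whose modification outlives a reboot (assumed subset).
AUTOSTART_PREFIXES = (
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run",
    r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup",
)


def evaluate(event: Dict[str, str]) -> Optional[str]:
    """Return an alert string if the event violates the policy, else None."""
    kind = event["type"]
    src = event["src"].lower()
    if kind == "remote_thread":
        # Step 1 of the persistence chain: migration into a persistent process.
        dst = event["dst"].lower()
        if dst in PERSISTENT_TARGETS and src not in INJECTION_ALLOWLIST:
            return f"migration: {src} created a thread in {dst}"
    elif kind == "write":
        # Step 2: writing somewhere that is re-read at the next boot.
        path = event["path"]
        if path.lower().startswith(tuple(p.lower() for p in AUTOSTART_PREFIXES)):
            return f"persistence: {src} modified autostart location {path}"
    return None


def scan(events: List[Dict[str, str]]) -> List[str]:
    """Run every event through the policy and collect the alerts."""
    return [a for a in (evaluate(e) for e in events) if a]


# Constructed sample events: a benign debugger attach, a benign document save,
# then the chain the post describes (inject into explorer, then add a Run key).
SAMPLE_EVENTS = [
    {"type": "remote_thread", "src": "devenv.exe", "dst": "myapp.exe"},
    {"type": "write", "src": "winword.exe", "path": r"C:\Users\user\Documents\notes.docx"},
    {"type": "remote_thread", "src": "AcroRd32.exe", "dst": "explorer.exe"},
    {"type": "write", "src": "explorer.exe",
     "path": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```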
You can find "end of support information" -
1. A good part of infections have nothing to do with the OS being insecure, but with the user making bad decisions (that includes social engineering attacks).
2. Hungry Man, your vision of OS security is more of a utopia than a real possibility. Sure, maybe there are people who would like the OS to protect them from themselves, but this is not going to happen. IMO, nothing can protect you from yourself, both in the real world and in the computer world.
I got a trojan once through being a bit naive. No OS can be that invulnerable surely, just like no AV will have a 100% detection rate. Any lock can be picked, they reckon.
Let's keep it simple. With that in mind, how is the operating system supposed to know the difference between a script that monitors the keyboard and another that also monitors the keyboard? One is malicious (because it's sending info to outsiders) and the other isn't malicious, because it was actually developed by me?
The only malicious action is the fact that one is sending information to outsiders, and one I know nothing about and that's even in my system doing its thing. They're the same, just the destination of the data that changes.
The operating system can't tell the difference.
Anyone can make a search on their favorite search engine and actually look for a keylogger created with some scripting language, including PowerShell, and simply make a few changes to change the destination of the data. Same script/same code. Reading the keyboard is actually pretty standard, otherwise I wouldn't even be able to write this post.
It's not really about being invulnerable. It's just about having the OS be what enforces policies and security. I personally see a solution to socially engineered malware that an OS can enforce - though don't expect me to talk about it publicly lol you'll find out later.
We'll just have to agree to disagree for now.
There's really no way for an operating system to detect anything - the simpler the item is the more difficult it is to detect. If it's seen the item before, sure, it can detect. But otherwise it can't. Detection isn't really going to save anyone, it's better for cleanup.
See above agreement =P. There are ways an OS can protect you that security companies can't seem to grasp, because they're too worried about their backwards systems.
I am not stating that an operating system can provide 100% security. Nothing can provide 100% security, it's all a matter of attackers. I'm saying that an operating system has to be the entity to enforce security policies, and that when an infection occurs it's the fault of the OS, and no one else.
Oh ... OK ..
In my case I was on a Russian site in SeaMonkey with no adblocker & not using NoScript. A flash ad got me with a drive-by. Luckily Google Translate warned me of the malware & SUPERAntiSpyware removed it. My AV (Norton) had no idea. I've never trusted any AV since.
AVs work on detection. They'll always be behind. They can't do anything against an attacker who cares about them. I've personally talked to botnet operators and hackers (not the good guys) and their opinions of AV are just as low as you'd expect. They're not defenders, and it's not really their job to think about what makes a system harder to attack, but they know what people run, and they know how much money they make, and that's pretty much all it is.
One of them had something funny to say, when I said I wanted to develop security software. "Lol, why? You'll always lose". Because right now that's where we're at. We're on a losing side lol and it's because the security industry has barely changed in 30 years. And I think people have been taught to blame users instead of the failed products.
I agree with the O.S being the entity enforcing the security policies. I also agree that if an attacker uses the O.S own flaws to compromise it, then it's the O.S that is at fault. But, I disagree about the rest - that the user is not at fault. The user is at fault when the O.S is not at fault.
Also, you seem to be contradicting yourself. You say "I am not stating that an operating system can provide 100% security", therefore I assume you agree that an operating system cannot provide 100% security. Maybe because it's out of its scope, either due to limitations or usability (because in the real world, whatever you'd like it to do, it just can't be done without lots and lots of headaches).
There's nothing that will provide 100% security at this point. Maybe if we can ever get provable code to be efficient, or if we ever move away from our current languages, and solve a ton of other problems, it will happen. Until then there is no 100%.
That's why an OS can't enforce 100%. 100% simply isn't the goal.
There isn't a situation where the OS isn't at fault, because either a policy was bypassed, or not written properly, or a policy simply didn't exist.
But I can't demonstrate any of this yet, and the ideas I have are really just the sum of everything I've learned. I don't think I'd be very convincing in a conversation about this.
At this point it's more of a belief or hypothesis, which I hope to prove at a later date. Until then I don't expect to be convincing anyone of any of it.
Maybe I'm being naive here but isn't the browser the weakest link rather than the OS?
If they mean straight-outa-da-box with NO other apps etc. in place, then it "could" be. But it would still have to be presented with a dodgy www and/or local intrusion etc. If that never happens, then it's 100% safe.
Anyway, that 21 is as of right now. I fully expect LOTS more exploitable holes to be discovered in W8. Plus, as usual, what about the "Known Unknowns"?
So I VERY much doubt it is 21!
XP, just like 98, can be made as safe as anything, & lots of us have done so.
The OS is responsible for security, regardless of the attack vector. So while the browser, or browser plugins, may be what the attacker uses to get in, it's the operating system's job to handle security.
Chrome is interesting because it handles Flash's security for it. It uses a privilege model to broker something that isn't really its responsibility, and that's a very large part of what makes it secure.
Operating systems at this time don't really take responsibility, so third party developers are forced to. It's a shame, but it's how it has to be. Unfortunately Microsoft is being incredibly stupid and locking third party developers out, while not really improving their security model as much as they should be. Not that any third party devs seem particularly competent, save a few.
One interesting model is Android. That leverages the operating system to provide a very secure system. You can say "Oh, there's socially engineered malware" but in virtually every case you can simply long hold the app and drag it away to uninstall it. You can't get that on Windows. With Android the malware is so limited that even when infection occurs it's incredibly easy to remove it.
Part of that is a lack of root, a very large part is that Android's model simply makes it harder for attackers. I'm not calling Android perfect or even ideal, but it's way ahead of Windows because the OS actually takes responsibility for application security.